diff options
| author |  sommerfeld <sommerfeld@sommerfeld.dev> | 2026-05-13 13:43:31 +0100 |
|---|---|---|
| committer | sommerfeld <sommerfeld@sommerfeld.dev> | 2026-05-13 13:43:31 +0100 |
| commit | eeb3752074edcb110cd3709689e818b57fd2d2fd (patch) | |
| tree | 757dc45a5f840c8b76acf1906868d8e1c4bbbd72 /bootstrap.sh | |
| parent | 3d263bdbb48e7616a12af26ef094e5a416f9a735 (diff) | |
| download | dotfiles-eeb3752074edcb110cd3709689e818b57fd2d2fd.tar.gz dotfiles-eeb3752074edcb110cd3709689e818b57fd2d2fd.tar.bz2 dotfiles-eeb3752074edcb110cd3709689e818b57fd2d2fd.zip | |
feat(privesc): drop classic sudo via AssumeInstalled
base-devel hard-depends on the sudo package, so without help, pacman
refuses to remove it. The Arch-native fix is pacman.conf's
AssumeInstalled directive: tell pacman to pretend a virtual
sudo=99.0 is installed and base-devel's dep is satisfied without
actually pulling sudo in.
- etc/pacman.conf: AssumeInstalled = sudo=99.0
- bootstrap.sh: after 'just init' (which writes the AssumeInstalled
line and installs sudo-rs), Rns the leftover sudo package so a
fresh install ends up with sudo-rs only.
Also reformat bootstrap.sh and the etc deploy script with the
project's shfmt style (-i 2 -ci -s).
Diffstat (limited to 'bootstrap.sh')
| -rwxr-xr-x | bootstrap.sh | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/bootstrap.sh b/bootstrap.sh index ead79e6..17f7af4 100755 --- a/bootstrap.sh +++ b/bootstrap.sh @@ -67,16 +67,21 @@ else fi # 5. run just init — this deploys chezmoi, installs the 'base' meta list -# (which pulls in sudo-rs), deploys /etc/sudoers-rs and /etc/pam.d/sudo, -# creates /usr/local/bin/{sudo,su,visudo,sudoedit} symlinks pointing at +# (which pulls in sudo-rs), deploys /etc/sudoers-rs, /etc/pam.d/sudo, +# and the AssumeInstalled = sudo line in /etc/pacman.conf, creates +# /usr/local/bin/{sudo,su,visudo,sudoedit} symlinks pointing at # sudo-rs, and installs git hooks. -# The classic 'sudo' package installed in step 2 stays alongside -# sudo-rs as a safety net; remove it manually with `sudo pacman -Rns -# sudo` once you've verified `sudo --version` reports sudo-rs. cd "$DOTFILES_DIR" log 'running just init' just init +# 5b. remove the classic sudo package — base-devel's dependency is +# satisfied by the AssumeInstalled = sudo line written above. +if pacman -Qq sudo >/dev/null 2>&1 && pacman -Qq sudo-rs >/dev/null 2>&1; then + log 'removing classic sudo (sudo-rs takes over)' + sudo pacman -Rns --noconfirm sudo || warn 'failed to remove sudo; remove it manually later' +fi + # 6. refresh pacman mirrorlist once via reflector (config deployed by chezmoi) log 'refreshing pacman mirrorlist via reflector' sudo reflector @/etc/xdg/reflector/reflector.conf \ |